Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Needle in the Haystack

Published byNorah Martin Modified over 6 years ago

Similar presentations

Presentation on theme: "The Needle in the Haystack"— Presentation transcript:

1 The Needle in the Haystack
Jasper Bongertz 17 June 2015

2 The Needle in the Haystack
In an incident response situation at least one Indicator of Compromise has been found already The haystack is all of the IT infrastructure that needs to be checked: Clients Servers Network ISP uplinks 20 November 2018

3 Looking for the Needle The challenge:
The Needle in the Haystack Looking for the Needle The challenge: Telling what systems have really been compromised So how do we usually do that? Looking at: file systems log files firewall rule tables sensor hits (IDS/IPS/NSM/AV/Sandboxes) documentation 20 November 2018

4 The Needle in the Haystack
Looking at the network Network forensics can be an effective way to spot potential „Needles“ No matter how good malware hides, it‘ll use the network sooner or later „No place to hide“ if sniffing packets at the right spot Challenges: Sniffing packets at the „right spot“ Scanning through gazillions of packets, looking for IoCs Bild: CDS 20 November 2018

5 Best practices Looking at Internet uplinks
The Needle in the Haystack Best practices Looking at Internet uplinks Usually there are only a couple of them Problem: undocumented/“rogue“ uplinks Inspecting DNS Can be stored a long time, e.g. using PassiveDNS Finding CnC patterns: Answers containing Loopback addresses High amount of errors like „no such name“ Domain Generation Algorithms Still need to sort out false positives Bild: Generic Brochure 20 November 2018

6 Best practices Leveraging NetFlow
The Needle in the Haystack Best practices Leveraging NetFlow Long term storage of metadata of communication flows Helps tracking lateral movement of attackers and building timelines Can also be used for event correlation Baselining suspicious systems Record everything it does Using SPAN ports/TAPs Pinpoint assets that require file system forensics Bild: Advanced Forensics 20 November 2018

7 The Needle in the Haystack
Demo 20 November 2018

8 Thank you! Questions? 20 November 2018

Download ppt "The Needle in the Haystack"

Similar presentations

Case study : The curious mr. x

Case study : The curious mr. x
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written.

© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written.
1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.

1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
SANS Technology Institute - Candidate for Master of Science Degree Implementing and Automating Critical Control 19: Secure Network Engineering for Next.

SANS Technology Institute - Candidate for Master of Science Degree Implementing and Automating Critical Control 19: Secure Network Engineering for Next.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.

Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.
Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project 9/17/2008RAID 2008.

Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project 9/17/2008RAID 2008.
COEN 252 Computer Forensics Collecting Network-based Evidence.

COEN 252 Computer Forensics Collecting Network-based Evidence.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.

SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
1 9/14/2010 Cloud Network Defense Tom Byrnes Founder & CEO 760.542.1550 x4242 Cloud Network Defense.

1 9/14/2010 Cloud Network Defense Tom Byrnes Founder & CEO x4242 Cloud Network Defense.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.

1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.

Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Similar presentations

Ads by Google